IT Security Trapdoors and Backdoors

Updated: October 30, 2007

Issue

IT security consultants are primarily honest, trustworthy professionals. A small minority, however, abuse their privileged status to plant backdoors into business applications and other programs in order to provide unauthorized access to critical system data and services. A backdoor is typically created by installing code that recognizes either a special input sequence, such as a password, or a certain username.

Once in place, a backdoor allows the perpetrator — and any other people he cares to share his secret with — to view and download data, run programs or even obtain complete system access and control. Backdoors have been used to steal credit card numbers, download secret business plans, siphon funds from company accounts and for a variety of other illegal activities.

Crooked consultants plant trapdoors because they believe that they are clever and won't get caught. Unfortunately, this is true in many cases. A backdoor can generate quick riches, and many perpetrators are able to escape without a trace. On the other hand, this doesn't mean that businesses are powerless to defend themselves against backdoors and their creators. Careful planning and thorough oversight can ensure that only honest, backdoor-free software is installed on company systems.

Analysis

Removing a backdoor is a difficult and complex process. The ideal approach is to make sure that a backdoor is never planted in the first place. This is best achieved by hiring a security consultant who works for a well-known and respected organization, an individual with an extensive track record of working with companies in a particular field. The worst approach is to hire a consultant, perhaps via a Craigslist ad or a newspaper classified, without asking for credentials and a verifiable list of clients.

Hiring a qualified, verified consultant greatly decreases the chance that a backdoor will be planted, but it isn't a rock-solid security guarantee. Businesses still need to regularly check their systems for the presence of unauthorized code. A variety of vendors — including Tenable Network Security — offer tools that help businesses scan and audit their computers and networks for the presence of backdoors.
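One form such a check can take for in-house Python code, shown as an added example that is not from the original article or any vendor's tool: a source audit that flags comparisons of credential-like variables against hard-coded strings, the "special input sequence or certain username" pattern described under Issue. The variable-name hints, function names and sample source are assumptions constructed for illustration.

```python
import ast

# Assumed naming hints for credential-bearing variables; tune for your code base.
CREDENTIAL_HINTS = ("user", "login", "passw", "pwd", "secret", "token")

# Constructed sample: an authentication routine with a planted special-case check.
SAMPLE_SOURCE = '''
def authenticate(username, password, store):
    if username == "maint" and password == "letmein-2007":
        return True
    return store.verify(username, password)
'''

def _name_of(node):
    """Return the identifier of a plain variable or attribute access, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return node.attr
    return None

def _is_str_literal(node):
    # Empty strings are skipped: `password == ""` is ordinary input validation.
    return isinstance(node, ast.Constant) and isinstance(node.value, str) and node.value != ""

def find_hardcoded_credential_checks(source, filename="<source>"):
    """Flag comparisons between a credential-like name and hard-coded string literals."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=filename)):
        if not isinstance(node, ast.Compare):
            continue
        operands = [node.left, *node.comparators]
        names = [n for n in map(_name_of, operands) if n]
        suspicious = [n for n in names if any(h in n.lower() for h in CREDENTIAL_HINTS)]
        literals = []
        for op in operands:
            # A tuple/list/set of literals covers `username in ("a", "b")`.
            elts = op.elts if isinstance(op, (ast.Tuple, ast.List, ast.Set)) else [op]
            literals += [e.value for e in elts if _is_str_literal(e)]
        if suspicious and literals:
            findings.append((filename, node.lineno, suspicious[0], literals))
    return findings

if __name__ == "__main__":
    for fname, line, var, lits in find_hardcoded_credential_checks(SAMPLE_SOURCE):
        # Literal values are not printed so audit logs do not leak the secret.
        print(f"{fname}:{line}: '{var}' compared against {len(lits)} hard-coded string(s)")
```

A finding is a prompt for human review, not proof of a backdoor: vendor maintenance accounts and test fixtures trigger the same pattern, and obfuscated checks will not match.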

Many businesses could dramatically enhance their IT security and decrease the backdoor threat if they simply installed the free security patches and malware-removal tools provided by software vendors. That's always a good idea, since removing a detected backdoor is as difficult as eradicating any serious piece of malware. In many instances, the only solution is to wipe the system clean and reinstall a backdoor-free version of the software.

Any business that discovers a backdoor needs to determine how the code was planted. In some cases, a consultant (or an in-house IT employee) may inadvertently install commercial software that includes a backdoor. Some software vendors include backdoors in their products to enable maintenance tasks or to recover lost passwords. This is a bad practice, but it happens. So check with the appropriate vendor before accusing a consultant of planting backdoor code. On the other hand, if all evidence indicates that a backdoor was indeed installed by a consultant, report the incident to the police. Backdoor seeding is a crime, not a civil matter. Law officers, not company representatives, are best equipped to confront and handle potentially dangerous data thieves.
